Data subject rights


You have rights under the General Data Protection Regulation regarding the personal data that the Council processes about you.

What rights do I have?

  • Right to notification
  • Subject access rights
  • Right to be forgotten
  • Right to rectification
  • Right to restriction of processing
  • Right to portability
  • Right to object
  • Right to object to automated decision making
  • Right to complaint to supervisory body (the Information Commissioner)
  • Right to Judicial Remedy against supervisory body (the Information Commissioner)
  • Right to Judicial Remedy against the council
  • Right to compensation

How to exercise your rights

Right to notification

A privacy notice will be provided to you explaining how and why the Council intends to process your personal data. This ‘Privacy Notice’ will be based on the general statement on our website (link required here) but with details specific to the service you are involved with. This information will be on the website, on any form you complete or you will be told verbally over the phone.

When we first gather information from you we will confirm that

  • we are the data controller
  • let you know who our Data Protection Officer is and how to make contact
  • the legal basis for processing your data and the purpose(s) we will use it for
  • any consequences of you not providing all the data requested
  • who we share this with and how long we keep them for
  • we will let you know your rights to have data rectified, to be forgotten, to portability, to object to processing and to complain
  • we will let you know if the data will be subject to any automated decision making
  • transfers outside European Economic Area
  • if the data was not provided by you, the identity of the source and the categories of data we hold

If we intend to use your data for a purpose other than that which we initially intended we will also issue you a further privacy notice prior to processing.

Subject access rights

You can ask for a copy of the data we hold on you. This applies to any personal data that we hold and we can tell you what data and what categories of data we hold.

To help us do this, we will ask you to tell us which services are likely to hold your data. You will need to provide proof of your identity so that we can ensure that the correct data is provided to you and that your data and the data of others is adequately protected. We will let you know the purpose(s) the data is processed for, and any other organisations we share the data with, also if any data we hold is collected from other sources. There is no charge for a Subject Access Request.

We have set periods (or retention schedules) that we hold data for, which vary depending on the service and we will tell you how long we will hold data for each relevant service. We will also tell you the legal basis we have for processing the data.

The data we hold is safely stored and processed. If any of your data is transferred outside the European Economic Area and to a territory without adequate security we would let you know but we do not believe we hold any data that falls into this category.

If your data is processed and automated decisions made or we conduct any profiling, we will also let you know of this. Further details on your rights regarding automated decisions and examples of when this may occur can be found at section viii. And we will let you know your rights to rectify inaccurate or incomplete data, to object to processing, restrict access to your data and to complain.

To make a Subject Access Request, you must make a written request. You can download a copy of our Subject Access Request application form for completion and return by post, by using the link below.

Right to be forgotten

This allows you to request that we delete our records or some of our records in so far as they identify you, for example

  • where your personal information is no longer needed for the reason that it was collected for
  • where you have removed your consent for us to use your information (where there is no other legal reason us to use it)
  • where there is no legal reason for the use of your information
  • where deleting the information is a legal requirement

Where your personal information has been shared with others, we’ll do what we can to make sure that those using your personal information comply with your request for erasure.

The Right to be forgotten does not apply in all circumstances and we can’t delete your information where

  • we’re required to have it by law
  • it is used for freedom of expression
  • it is used for public health purposes
  • it is for, scientific or historical research, or statistical purposes where it would make information unusable; or it is necessary for legal claims

Right to rectification

This allows you to request the correction of inaccuracies in your personal data, if you believe the data held by the Council is not accurate. We may not always be able to change or remove the information, but we’ll correct factual inaccuracies and may include your comments in the record to show that that you disagree with it.

Right to restriction of processing

This allows you to request that access to your personal is limited in certain circumstances, if you are contesting the accuracy of the data on record and we are seeking to verify it. You have the right to ask us to restrict what we use your personal information for where 

  • you have identified inaccurate information, and have told us of it
  • where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether 

When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of the UK. Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.

Right to portability

This allows you to be provided with a copy of your data in an accessible electronic format. However this only applies if we’re using your personal information with your consent (not if we’re required to by law) and if decisions were made by a computer and not a human being.

It is likely that data portability won’t apply to most of the services provided by the Council.

Right to object

You have the right to object to the Council’s processing of your personal data if you dispute the legal basis on which it is processing data.

You have the right to ask us to stop using your personal information for any service that the Council provides. However, requests may cause delays or prevent us delivering that service. Where possible we’ll seek to comply with your request, but we may need to hold or use information because we are required to by law.

Right to object to automated decision making

This allows you to object to having decisions made by an automated process, where decisions are made by machine calculation of data held by the Council. 

You can ask to have any computer made decisions explained to you and details of how we may have ‘profiled’ you. You have the right to question decisions made about you by a computer, unless it’s required for any contract you have entered into, required by law, or you’ve consented to it. You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your health conditions.

If the Council uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed. If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who’ll be able to advise you about how we using your information.

Right to complaint to supervisory body (the Information Commissioner)

You have the right to complain to the Information Commissioner if you believe that the processing of your personal data infringes the General Data Protection Regulation.

Right to Judicial Remedy against Supervisory Body (the Information Commissioner)

You have the right to seek a judicial remedy against the Information Commissioner without prejudicing any other administrative or non-judicial remedy about a binding decision of the commissioner or if the Commissioner does not handle a complaint within three months. This is likely to be achieved in a tribunal.

Right to Judicial Remedy against the Council

You have the right to seek a judicial remedy against the council, without prejudicing any other administrative or non-judicial remedy about the processing of your data where you believe the data processing did not comply with the GDPR. This can be achieved in the County Court or High Court in England.

Right to compensation

You have a right to receive compensation from the controller or processor if you have suffered material or non-material damage as a result of an infringement of the GDPR. Such a claim can be made in the County Court or High Court.

How to exercise your rights

If you are dissatisfied with our handling of your personal data or how the Council has dealt with your data subject rights, you can complain to our Data Protection Officer and the Information Commissioner's Office. You can also seek judicial remedy in some circumstances.

The Council will respond to your request to exercise any of the above rights as soon as possible and within one month (30 days) of your request. If this is not possible due to the complexity or size of the request we will let you know. In exceptional circumstances the Council can extend the timescale to 3 months or 90 days. We will let you know why if this is the case.

How to contact the ICO


The Information Commissioner's Office (ICO) can be contacted as follows.


Telephone 0303 123 1113
Email registration@ico.org.uk

Or you can write to them at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

How to contact us


The Council’s Data Protection Officer can be contacted as follows.


Telephone 01992 564180
Email dataprotection@eppingforestdc.gov.uk

Or you can write to us at:
Data Protection Officer, Epping Forest District Council, High Street, Epping, Essex CM16 4BZ